Some Android apps caught covertly sending GPS data to advertisers

Researchers have found that a significant number of Android applications are …

The results of a study by researchers from Duke University, Penn State University, and Intel Labs reveal that a significant number of popular Android applications transmit private user data to advertising networks without explicitly asking or informing the user. The researchers built a tool called TaintDroid that uses dynamic taint analysis: data read from a sensitive source such as the GPS receiver, the phone number, or the device identifier is tagged with a label, the label follows the data through the application as it is copied and transformed, and TaintDroid reports when labeled data reaches a network socket and which remote server it is sent to.

They used TaintDroid to test 30 popular free Android applications selected at random from the Android Market and found that 15 of them were sending private information to advertising servers, including the user's location and phone number. In some cases, applications relayed GPS coordinates to remote advertising servers as frequently as every 30 seconds, even when not displaying advertisements. These findings raise concern about how far mobile platforms can insulate users from unwanted invasions of privacy.
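To make the mechanism concrete, here is a small taint-tracking simulation written for this page. It is an added example, not TaintDroid's own code (TaintDroid does this inside the Android runtime, not in Python), and the source functions, the app and host names, and the GPS fix, IMEI and phone number are all constructed placeholders. Values read from a sensitive source carry a set of labels, the labels survive the string operations an app uses to build a request body, and a network sink records which labels leave for which host.

```python
"""Toy dynamic taint tracking in the spirit of TaintDroid.

Added example for this page, not TaintDroid's own code.  Values that come
from a sensitive source carry a set of labels; the labels propagate through
the string operations an app would use to build a request; a network sink
reports which labels reach which host.  All names and data are constructed.
"""
from dataclasses import dataclass, field

LOCATION, PHONE_NUMBER, IMEI = "LOCATION", "PHONE_NUMBER", "IMEI"


def taint_of(value) -> frozenset:
    """Labels carried by a value; plain (untainted) values carry none."""
    return getattr(value, "labels", frozenset())


class Tainted(str):
    """A str that remembers which sensitive sources it was derived from.

    Propagation rule: a value computed from tainted inputs carries the union
    of their labels.  Only the operations overridden here propagate; anything
    else (hashing, .encode(), native code) silently drops the label.
    """

    def __new__(cls, value, labels=()):
        obj = super().__new__(cls, value)
        obj.labels = frozenset(labels)
        return obj

    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.labels | taint_of(other))

    def __radd__(self, other):  # plain_str + tainted
        return Tainted(str.__add__(str(other), self), self.labels | taint_of(other))

    def __getitem__(self, key):  # a slice of a GPS fix is still a GPS fix
        return Tainted(str.__getitem__(self, key), self.labels)

    def split(self, sep=None, maxsplit=-1):
        return [Tainted(p, self.labels) for p in str.split(self, sep, maxsplit)]

    def replace(self, old, new, count=-1):
        return Tainted(str.replace(self, old, new, count), self.labels | taint_of(new))


# Sources: constructed stand-ins for LocationManager / TelephonyManager reads.
def get_last_known_location() -> Tainted:
    return Tainted("37.4220,-122.0841", {LOCATION})   # sample fix, not a real user


def get_device_id() -> Tainted:
    return Tainted("356938035643809", {IMEI})          # sample IMEI, not a real device


def get_line1_number() -> Tainted:
    return Tainted("+15550100", {PHONE_NUMBER})        # sample number


@dataclass
class TaintLog:
    entries: list = field(default_factory=list)


def network_send(app: str, host: str, body, log: TaintLog) -> bool:
    """Network sink.  Records which labels leave the device and to where,
    in the spirit of TaintDroid's notification; this toy never really sends.
    Returns True when tainted data was observed at the sink."""
    labels = taint_of(body)
    if labels:
        log.entries.append({"app": app, "host": host,
                            "labels": sorted(labels), "data": str(body)})
    return bool(labels)


def ad_sdk_refresh(app: str, log: TaintLog) -> bool:
    """Stand-in for an embedded ad library that builds its request from the
    GPS fix and the device id, the behaviour the study observed."""
    lat, lon = get_last_known_location().split(",")
    body = "lat=" + lat + "&lon=" + lon + "&id=" + get_device_id()
    return network_send(app, "ads.example.net", body, log)


def game_sync(app: str, log: TaintLog) -> bool:
    """Benign traffic built only from untainted data."""
    return network_send(app, "api.example.net", "score=100", log)


def run_demo() -> TaintLog:
    log = TaintLog()
    game_sync("com.example.game", log)
    ad_sdk_refresh("com.example.game", log)
    return log


if __name__ == "__main__":
    for e in run_demo().entries:
        print(f"{e['app']} -> {e['host']}: {', '.join(e['labels'])} [{e['data']}]")
```

Run it and the only logged entry is the ad request, tagged LOCATION and IMEI; the score upload is silent. The caveat is the propagation rule: only operations the wrapper overrides keep the label, so hashing the IMEI or calling `.encode()` on the body drops it. That gap is why TaintDroid tracks labels inside the interpreter, across every instruction, rather than at the library boundary.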

The Android operating system has an access control mechanism that limits access to key platform features and private user information. A third-party application that relies on sensitive features has to declare the permissions it needs, and the user is shown that list during installation. The user can cancel the installation if they do not wish to grant the permissions the application requests. If a user starts to install a simple arcade-style game and finds that it wants access to the user's GPS coordinates, for example, the seemingly suspicious permission request might compel the user to abandon the installation.

It's a practical security measure, but one critical limitation is that permissions are granted once, at install time, for the life of the application, and there is no way for the user to discern how and when the application will use a requested feature or where it will send the information. To build on our previous example, the user might decide to grant an Android game access to their GPS coordinates so that the software can facilitate multiplayer matches with nearby users. The user has no way of knowing, however, whether the application is also transmitting that information to advertisers or using it for malicious purposes. Making the permission system more granular might address those kinds of problems, but would also have the undesired effect of making it too complex for some users to understand. Indeed, there are already a lot of careless users who simply don't take the time to look at the permission listing or don't understand the implications.

Concerns about unauthorized access to private information by Android applications were raised earlier this year when a popular wallpaper application was found surreptitiously transmitting the user's phone number to a remote server in China. Google's investigation of the matter revealed that the developer of the application was simply using the phone number as a unique identifier for user accounts and was not threatening the user's security or doing anything nefarious. Google responded by publishing an overview of best practices for handling sensitive user information. Google temporarily disabled the application in the Android Market while performing a security review, but later re-enabled it after finding no evidence of a serious threat.

Google's ability to remove unambiguously malicious applications from the Android Market protects users from the most egregious attacks, but it doesn't address the multitude of gray areas where the implications of data collection and disclosure are more nuanced and don't constitute blatant abuse. It's important to recognize that even highly invasive data collection by mobile applications doesn't necessarily pose a threat to users. Millions of users are happy to voluntarily concede privacy in exchange for free access to useful services. The key is that it has to be voluntary, which means that users have to know in advance that the information is going to be collected.

When a mobile advertising widget embedded in Android applications collects IMEI numbers so that it can correlate a user's activity across multiple applications and build a behavioral profile for more effective targeted advertising, it's not all that different from what prominent Internet advertising networks already do with cookies in the Web browser. The difference is that an IMEI, unlike a cookie, cannot be cleared by the user and identifies the handset for its entire life.

For a more invasive example, consider a mobile application that reads your SMS messages looking for products your friends mention so that it can advertise to you more effectively. In practice, it's not profoundly different from what Google does with contextual advertising in Gmail. It wouldn't surprise me at all if the possibility of doing exactly these kinds of things was a major factor in inspiring Google to create Android in the first place. As smartphones become ubiquitous, it's likely that users will be expected to give up more of their privacy in order to get access to the next generation of hot mobile applications and services.

Invasive mobile data collection by advertisers isn't necessarily bad if users are getting something of value in return. The real issue is whether the practice is coupled with an appropriate level of transparency and disclosure to the end user. What separates a legitimate business practice from an unacceptable abuse in data collection is whether the user was made aware in advance of how data is collected, used, and shared, so that they can choose to opt out or refrain from using the product if it shares their sensitive information in ways that make them uncomfortable. Such problems are not specific to Android or to mobile operating systems in general, but the fact that smartphone platforms provide standardized APIs for accessing certain kinds of sensitive information makes them higher-risk targets for subtle privacy invasions.

As Google says in its list of best practices for data collection, providing users with easy access to a clear and unambiguous privacy policy is important. Google should enhance the Android Market so that developers can make their privacy policies directly accessible to users before installation, a move that would clearly benefit end users. When applications share information improperly, don't conform to the stipulations of their privacy policies, or aren't suitably transparent about their data collection practices, tools like TaintDroid will be a powerful asset for enabling savvy users and privacy watchdogs to expose such abuses. The researchers behind the TaintDroid project will soon be publishing their results and plan to make TaintDroid available to the public in order to encourage further investigation. Their efforts to raise awareness of data collection by mobile applications are an important contribution to the advancement of safe mobile computing.

135 Reader Comments

First of all, Apple apps have exactly the same problems, and no, it is not screened during the app review process. There was a recent study that found that many Apple apps were transmitting sensitive user data.

So if an application puts out a free version that makes money through advertising, is this inherently bad? If said app requests GPS statistics (something you see when installing the app) in order to attempt to send you ads that are actually somewhat relevant is this inherently bad?

Suppose I am willing to let them deliver ads, but I am not willing to let an unknown third party server monitor my whereabouts? Suppose I want to be sure that the app can only use GPS data while I am actually using it, not while it is in the background? Right now all Android offers is all or nothing - you can look at the list of things an app MIGHT want to do, and decide not to install it. But you don't have granularity of control.

First of all, Apple apps have exactly the same problems, and no, it is not screened during the app review process. There was a recent study that found that many Apple apps were transmitting sensitive user data.

There are two key differences.

1) When you install an Apple app, you have NO idea what services on the phone it has access to. On Android, it is blatantly labeled when you install the app. In fact, it is impossible for an app to access various parts of your phone without it displaying this at time of install.

2) Apps that track other apps are not allowed on the Apple market... therefore it is IMPOSSIBLE for YOU to figure out if your apps are doing nefarious things with your data. On Android, if you so desire, you can police your own phone (with apps like the one used in this article).

In short.

You will never know on an iPhone what the apps are doing with your data. There is no way for you to find out.

On Android, they'll still be doing crappy stupid stuff, but at least there are MULTIPLE ways of you KNOWING what it is doing and doing something about it.

This is pure BS. My Apple docs specifically prohibit many of these behaviors. Link to your recent study please!

For Android, all you have shown are two links to apps for rooted phones which appear to have a 50/50 split between one and five star reviews and where many of the comments state the app doesn't work as advertised.

On most apps for rooted phones the one star reviews are mostly people using the app on phones that aren't rooted.

There's no requirement on Android to use ad-supported apps. If you don't want advertisers involved in your business don't use things paid for with their money.

Lastly, smartphones are computers just like the PCs that we all have been using for years. Excluding single purpose computers like game consoles, I can't think of an OS that limits what you can use your computer for other than iOS. I didn't realize lack of choice was a desirable feature. Since when is it acceptable for the OS manufacturer to control the only software distribution channel? Would you buy a PC like that? I wouldn't.

So if an application puts out a free version that makes money through advertising, is this inherently bad? If said app requests GPS statistics (something you see when installing the app) in order to attempt to send you ads that are actually somewhat relevant is this inherently bad?

I'm just wondering because I look at what kinds of access an application is granted when I install it. If there is an application that I find valuable yet for whatever reason do not want to pay for, I might not mind anonymous stats being sent in order to serve me relevant ads and keep the application free. It's the same thing with pretty much any free service on the web. Chances are you either pay for it, look at ads, or provide valuable marketing data.

The problem with the apps in the article is that it's not done anonymously. Or do you consider sending your phone number to an advertiser something related to "anonymously"?

iOS warns me every time an app wants access to GPS, and I can allow or deny it. From what I know, non-anonymous data collection is forbidden by Apple (except when explicitly endorsed by the user), and such an app wouldn't be allowed in the store.

Actual question, can someone prove me right or wrong with Apple's SDK's LA or EULA?

This is the reason why, before I install an application, I verify the required permissions first. If they are not OK but I still want to install the app, then I disable the Wi-Fi / data connection. Sure, this works for applications like games or apps that are not online... Also, if I'm too lazy to verify something from my phone, I use a site http://androlicious.com where I can see if an application is safe or not.

Freedom comes with responsibilities and the freedom of an open software market is no different.

I will gladly choose having to deal with problems like these in exchange for the benefits that an open software market provides. Besides, it is not like this is some kind of new problem. It is basically adware/spyware which people have been dealing with for a very long time now. It boils down to practicing good security habits.

More specifically, what Android users really need to use on a regular basis is software which by default blacklists all forms of communication until the user whitelists the app. Even better, the same software could add features which allow one to separately blacklist/whitelist communication which uses specific features like GPS while treating all other forms of communication within the app differently.

I will gladly choose having to deal with problems like these in exchange for the benefits that an open software market provides.

Agree, but I have to point out that in fact the situation in closed software markets is much worse, because you can't get tools to find out if you're being compromised, you rely entirely on Steve Jobs to perform complete analysis of the app and bless it (like the Pope certifying that all priests are problem-free.... very apt analogy in fact), and nobody can fix the problem except Steve.

So in other words, this isn't really an exchange situation. The closed platform has all the same problems, but just harder (maybe impossible) to detect and fix.

More specifically, what Android users really need to use on a regular basis is software which by default blacklists all forms of communication until the user whitelists the app. Even better, the same software could add features which allow one to separately blacklist/whitelist communication which uses specific features like GPS while treating all other forms of communication within the app differently.

But how do you create that software without the ability to limit what other apps can do? It's impossible on an "open" system.

But how do you create that software without the ability to limit what other apps can do? It's impossible on an "open" system.

It should be built into the OS. But of course it can be done on an "open" system; how else does one write a firewall app for Linux? The problem being that it can be subverted on an open system, too, for the same reason.

People need to think beyond the developer's motives, the moment your personal data is duplicated over many different servers in a way that ultimately can be uniquely identifiable then your risk and exposure to data theft increases significantly. I'm less worried about the advertiser's motives, and definitely more worried about lax security. The best safeguard against this is always to resist any push from 3rd parties to collect sensitive information, that is your only true security option.

So in other words, this isn't really an exchange situation. The closed platform has all the same problems, but just harder (maybe impossible) to detect and fix.

This area becomes subjective really fast, but to some extent you can look at the motivation of the platform vendor. On the one hand you have an advertising company that makes its money promoting ads. On the other hand you have a computer company that makes its money selling hardware. Which of these is more likely to limit practices that facilitate advertising?

More specifically, what Android users really need to use on a regular basis is software which by default blacklists all forms of communication until the user whitelists the app. Even better, the same software could add features which allow one to separately blacklist/whitelist communication which uses specific features like GPS while treating all other forms of communication within the app differently.

So basically what you're saying is that the Android OS needs virus, malware and spyware software in order for the stupid thing to run. Sounds too much like the Windows environment, no thank you.

As with every security research result surfacing these days there is a great deal of FUD involved; it's probably the attempt of security researchers and sellers to remain relevant on the client side in the age of the smartphone.

It boils down to the fact that this is an open marketplace, if you don't trust the publisher of an application don't use it.

But how do you create that software without the ability to limit what other apps can do? It's impossible on an "open" system.

It should be built into the OS. But of course it can be done on an "open" system; how else does one write a firewall app for Linux? The problem being that it can be subverted on an open system, too, for the same reason.

So basically, you can make the argument that a system which limits developers to using specific APIs and prohibits apps from certain access can be of benefit to the user.

More specifically, what Android users really need to use on a regular basis is software which by default blacklists all forms of communication until the user whitelists the app. Even better, the same software could add features which allow one to separately blacklist/whitelist communication which uses specific features like GPS while treating all other forms of communication within the app differently.

So basically what you're saying is that the Android OS needs virus, malware and spyware software in order for the stupid thing to run. Sounds too much like the Windows environment, no thank you.

However, I'm shocked that this is happening. I take my privacy seriously. Rogue apps secretly giving away my personal data may just make me ditch the Android OS unless someone can come up with an easy way to detect such apps.

Makes you think if pre-approval (Apple-style) is such a bad idea after all...

So basically, you can make the argument that a system which limits developers to using specific APIs and prohibits apps from certain access can be of benefit to the user.

Not sure if you are posing this as a good thing or a bad thing. Any cellphone platform is already firewalled to some degree - you cannot, from the app layer, directly reprogram the baseband processor. There is simply no API and no mechanism, for instance, to write an Android (or iPhone) app that says "Turn the Tx on at +10dBm, CW output, f=1906.37745MHz". You'd not get regulatory approval for a phone that allows arbitrary third-party software to access such functions.

Simply the fact that the "native" Android apps in fact run in a VM provides the OS vendor with a designed-in opportunity to build privacy firewalling in at a level that the app layer cannot (theoretically) subvert. And they already do, up to a point; hence the warnings when you install an Android app. What I want to see is more granularity there; the ability to deny specific applications specific services that I don't think they deserve. For example, there is no legitimate reason for any application other than the phone app to be dialing voice calls.

On the one hand you have an advertising company that makes its money promoting ads. On the other hand you have a computer company that makes its money selling hardware. Which of these is more likely to limit practices that facilitate advertising?

As you said, it's subjective, but Apple is not truly a hardware company any more. Hardware is commoditized. Apple's value proposition is iTMS and the surrounding services. It just so happens that they want to direct every aspect of the user's interaction with their service plans, hence they "do" their own hardware. Once Steve Jobs is parked in his iTomb and other, less paranoid heads direct Apple, it's conceivable that they will ditch this vertical integration and spin off the hardware to an OEM partner (since they don't actually make anything anyway; it's all contract built).

Their business is about the user experience. It's why regular Janes and Joes enjoy devices that don't feel like technology and what nerds condemn as superficial fluff. Going to a Dell-like or MS-like model would mean handing over the total (not just software) user experience to the nerdocracy. That would not be good for Apple.

This is the reason why, before I install an application, I verify the required permissions first. If they are not OK but I still want to install the app, then I disable the Wi-Fi / data connection. Sure, this works for applications like games or apps that are not online... Also, if I'm too lazy to verify something from my phone, I use a site http://androlicious.com where I can see if an application is safe or not.

This works great for you but Android is a consumer device sold to millions. The large majority of consumers do not have the time, desire, or technical capability to do this. The security and privacy capabilities of Android should be designed so that the majority of consumers are getting reasonable privacy protection by default. On Android, an application that can get past the permission screen (which most consumers probably don't understand and/or read) can automatically send your GPS position and identifying information to anyone with no further indication to the consumer that this is happening or any way to disable it short of turning off the data connection or deleting the app. On top of that, this is considered acceptable behavior on the Android market and falls within Google's guidelines.

Personally, I do not find this acceptable. The Android security/privacy architecture is inadequate as it does not make this data gathering difficult and/or more transparent. Google's Market guidelines are also inadequate as they do not prohibit this behavior. This is a situation where Apple is doing it right. iOS is designed to make this type of data gathering more transparent and Apple's developer guidelines prohibit this behavior without clear user consent. Do some things slip through onto the App Store -- probably. Is it open season for this behavior like on the Android Market -- absolutely not.

Their business is about the user experience. It's why regular Janes and Joes enjoy devices that don't feel like technology and what nerds condemn as superficial fluff. Going to a Dell-like or MS-like model would mean handing over the total (not just software) user experience to the nerdocracy. That would not be good for Apple.

Maybe. Really my point is that Apple's goal is not to maximize hardware sales, but to maximize utilization of their S/W infrastructure. So they are MUCH more like Google than, say, Dell. Dell is a pure hardware play; they are never going to attract third party developers to build Dell-only software. Apple and Google, on the other hand, are both trying to encourage third-party devs to build S/W for their platforms, and that includes providing all these surreptitious data collection paths for the endless swamp of advertising sewage through which we all wade these days.

However, I'm shocked that this is happening. I take my privacy seriously. Rogue apps secretly giving away my personal data may just make me ditch the Android OS unless someone can come up with an easy way to detect such apps.

Makes you think if pre-approval (Apple-style) is such a bad idea after all...

i have no problem with something like android app store apps are pre-approved or whatever, but you are allowed to side load shit that didn't get approved and take your chances.

so basically google would keep the shit outta the store like apple and 99% of the users would have no issues. but if you want to install pornoapp off some rogue site and get all your shit stolen then fair enough, take your chances.

Free software is like communism; it is indeed harmful and full of lies

(innocent look) Exactly like capitalism, eh? *HUMANITY* is harmful and full of lies. Any system contains loopholes, and any system used by a sufficiently large number of people will be attacked by people wishing to do evil things with those loopholes. Any method of protection intended to cover such loopholes will prevent legitimate uses of the system and cause annoyance. Also, any such system designed to make money will have hooks and barriers in it that are designed to herd cattle^H^H^H^H^H^Husers into revenue-producing parts of the farm.

In summary: People are a problem, especially when systems that make money or attract members of the opposite sex are involved. But I'd rather have a system that I can inspect and modify than one where I have to trust a pope that what I have is what I want (and what I think it is).

It kind of sucks that in order to use these current technologies, one has to trust these "good consumer companies" that they will NOT do anything nefarious with your personal information. It's getting really hard to find companies that are good corporate citizens these days. After all, the entire purpose of any corporation is to maximize profits at what turns out to be any cost. This is exactly why the 'commerce clause' exists in our constitution. I wish our politicians and regulators would do their freakin jobs instead of being real cozy with the regulated. Just look at the J&J hearing going on now. Profits before anything else.

More reasons as to why Android is the wrong platform for the customers

Free software is like communism; it is indeed harmful and full of lies

Why do you use the Internet then? Free and open source applications and frameworks like Apache, MySQL, PHP, jQuery, Yii, etc. are in use by many web sites or do you only visit sites that use paid applications, like those run on MS servers?

I would rather use apps hosted by Apple or Microsoft than free stuff by Google. The Open Source movement is harmful and customers must be educated to avoid it. Like everything else, the proper way to encourage and make developers better is to let them patent their software and commercialize it. Open Source is an excuse to justify poor quality software and destroy the industry.

larwe wrote:

Free software is like communism; it is indeed harmful and full of lies

(innocent look) Exactly like capitalism, eh? *HUMANITY* is harmful and full of lies. Any system contains loopholes, and any system used by a sufficiently large number of people will be attacked by people wishing to do evil things with those loopholes. Any method of protection intended to cover such loopholes will prevent legitimate uses of the system and cause annoyance. Also, any such system designed to make money will have hooks and barriers in it that are designed to herd cattle^H^H^H^H^H^Husers into revenue-producing parts of the farm.

In summary: People are a problem, especially when systems that make money or attract members of the opposite sex are involved. But I'd rather have a system that I can inspect and modify than one where I have to trust a pope that what I have is what I want (and what I think it is).

Open Source is a problem and must be dealt with. This is something that threatens the privacy of customers and I hope government is sane enough to do something about it